When I set that value from my code, the value gets written into the database correctly. But, and that is my problem, when I get the value (via getter or \Doctrine\Common\Util\Debug::dump()), it always gives me a number with maximum 14 digits, and it rounds the value. I read the record with the default findById().

eg: with value 1234567890.012345678901234567890123456789 I have 1234567890.0123
eg: with value 890.0123456789012345678901234567890123456 I have 890.01234567890

I of course want all digits, not just 14. The field in MySQL is declared like this:

someValue decimal(40,30) NOT NULL,

When I get the value with raw PHP and mysql_query(), it returns correctly.

It seems like the problem is that Doctrine returns a float: ["someValue":protected]=> float(234567890.01235)

Prior to 5.3.6, the MySQL PDO driver ignored the character set parameter to options. Due to MySQL's C api (and MySQLND), this is required for the proper function of mysql_real_escape_string() (the C API call). Since PDO uses the mres() C call for PDO::quote(), this means that the quoted string does not take into account the connection character set.

Starting with 5.3.6, that was fixed. So now if you pass the proper character set to PDO via driver options, sql injection is impossible while using the PDO::quote() api call.

There are 2 issues to fix. First, the documentation does not indicate that you can pass the `charset` option to the MySQL Driver. This should be fixed so that users are given the proper option to set character sets.

Secondly, `Connection::setCharset()` should be modified for MySQL to throw an exception, since the character set is only safely setable using the DSN with PDO. This is a limitation of the driver and could be asked as a feature request for the PHP core. Either that, or a big warning should be put on the documentation of the API to indicate the unsafe character set change

Also note that prepared statements in PDO will suffer the same bug since PDO always emulates prepared statements for the mysql driver (even though it fully supports them in the source). See: http://bugs.php.net/bug.php?id=54638

The DBAL submodule uses an outdated version of the Console component (before the switch to private properties). But the Migrations project defines its command using the latest interface which means that it cannot be used with the DBAL out-of-the-box as it calls the getApplication method which does not exist in the old version of the component.

"Consider the previous query, now parameterized to fetch only a single article by id. Using ext/mysql (still the primary choice of MySQL access for many developers) you had to escape every value passed into the query using mysql_real_escape_string() to avoid SQL injection:

Please, do not rely on MySQL default links when discussing security issues. One of major differences between the mysql and the later mysqli extension is that mysqli forces users to explicitly specify a connection handle. There is no concept of default links and magical global connection handles in mysqli any more. The convenience of not having to specify a connection handle has been removed from mysqli. This was done to increase security, for example, when escaping strings. Escaping needs to take the current charset of the connection into account. Thus, it is recommended to explicitly specify the connection and so not use default connection.